Did you see the Bundler vulnerability recently? It seems Bundler switches to a different source every time it sees a new one in a Gemfile. Even if that source was only for one gem. So Bundler might load gems from unexpected sources. You’ve got that source in your Gemfile, so you already trust it to some extent. But we should probably use the several source blocks as described in the original blog post. And now for something completely different:
Some Cross-Origin Resource Sharing (CORS) misconfiguration misconceptions
Password Reset URLs may be leaked to third-party tools via the
Refererheader. Fix this on your site if you care about a second layer of defense.
A Content-Security-Policy test tool to come up with the best policy in the first place. By Google.